US9344443B1 · US · B1
| Field | Value |
|---|---|
| Publication number | US-9344443-B1 |
| Application number | US-201514704750-A |
| Country | US |
| Kind code | B1 |
| Filing date | May 5, 2015 |
| Priority date | Feb 5, 2014 |
| Publication date | May 17, 2016 |
| Grant date | May 17, 2016 |
Official abstract text for this publication.
Methods, systems, and apparatus, including computer programs encoded on computer storage media for identifying malware attacks collects data traffic information. A system receives data traffic information indicative of communications between computers within a network and computers external to the network. The system parses the data traffic information to identify communication links between the computers within the network and computers external to the network. The system can generate communication link profiles for each of the computers within the network. The system can then group computers within the network into computer clusters based on similarities between the communication link profiles for each computer. The system can identify computer clusters having anomalous communication patterns as being indicative of a malware attack.
Opening claim text (preview).
What is claimed is:

1. A computer-implemented method, comprising: receiving data traffic information on communications between a set of internal computers with a set of external computers, wherein the set of internal computers are located within a network, and the set of external computers are outside the network; parsing the received data traffic information to identify communication links between the internal computers and the external computers, each communication link comprising an act by an internal computer to communicate with an external computer or an act by an external computer to communicate with an internal computer; determining a communication link profile for each of the internal computers using the identified communication links; grouping the internal computers into a plurality of computer clusters based on similarities in communication link profiles for each internal computer, wherein computers having communication link profiles that reach a threshold level of similarity are grouped into a same cluster; identifying a particular internal computer that is located within the network but is not a part of the set of internal computers; identifying communication links between the particular internal computer and one or more of the external computers; determining a communication link profile for the particular internal computer using the identified communication links between the particular internal computer and the one or more of the external computers; and assigning the particular internal computer to a first computer cluster of the plurality of computer clusters based on the communication link profile for the particular internal computer having a threshold level of similarity to communication link profiles of internal computers in the first computer cluster.

2. The method of claim 1, further comprising: identifying a second computer cluster as including internal computers having communication link profiles indicative of a malware attack based on a shared property of the communication link profiles of the internal computers in the second computer cluster.

3. The method of claim 2, further comprising: in response to identifying the second computer cluster as including internal computers having communication link profile patterns indicative of a malware attack, identifying one or more external computers from the set of external computers that are in communication with the internal computers from the first computer cluster as command and control center computers supporting the malware attack; storing identifiers of the identified command and control center computers on a list of identified command and control center computers; and restricting communications between the internal computers and the identified command and control center computers.

4. The method of claim 1, wherein determining a communication link profile for each of the internal computers includes generating an n by m communication matrix, wherein the n by m communication matrix includes n number of rows and m number of columns, the n by m communication matrix indicates communications between the internal computers and the external computers, and each row of the n rows of the n by m communication matrix is associated with an internal computer and each column of the m columns in the n by m communication matrix is associated with an external computer.

5. The method of claim 4, wherein identifying a communication link profile for each of the internal computers further includes factorizing the n by m communication matrix into an n by k matrix having n number of rows and k number of columns and a k by m matrix having k number of rows and m number of columns, wherein k is an integer smaller than n.

6. The method of claim 1, wherein grouping the internal computers into a plurality of computer clusters based on similarities in communication link profiles for each internal computer includes identifying that each internal computer in a particular computer cluster communicated with a same number of external computers during a specified time period.

7. A non-transitory storage device storing instructions operable to cause one or more computers to perform operations comprising: receiving data traffic information on communications between a set of internal computers with a set of external computers, wherein the set of internal computers are located within a network, and the set of external computers are outside the network; parsing the received data traffic information to identify communication links between the internal computers and the external computers, each communication link comprising an act by an internal computer to communicate with an external computer or an act by an external computer to communicate with an internal computer; determining a communication link profile for each of the internal computers using the identified communication links; grouping the internal computers into a plurality of computer clusters based on similarities in communication link profiles for each internal computer, wherein computers having communication link profiles that reach a threshold level of similarity are grouped into a same cluster; identifying a particular internal computer that is located within the network but is not a part of the set of internal computers; identifying communication links between the particular internal computer and one or more of the external computers; determining a communication link profile for the particular internal computer using the identified communication links between the particular internal computer and the one or more of the external computers; and assigning the particular internal computer to a first computer cluster of the plurality of computer clusters based on the communication link profile for the particular internal computer having a threshold level of similarity to communication link profiles of internal computers in the first computer cluster.

8. The non-transitory storage device of claim 7, the operations further comprising: identifying a second computer cluster as including internal computers having communication link profiles indicative of a malware attack based on a shared property of the communication link profiles of the internal computers in the second computer cluster.

9. The non-transitory storage device of claim 8, the operations further comprising: in response to identifying the second computer cluster as including internal computers having communication link profile patterns indicative of a malware attack, identifying one or more external computers from the set of external computers that are in communication with the internal computers from the first computer cluster as command and control center computers supporting the malware attack; storing identifiers of the identified command and control center computers on a list of identified command and control center computers; and restricting communications between the internal computers and the identified command and control center computers.

10. The non-transitory storage device of claim 7, wherein grouping the internal computers into a plurality of computer clusters based on similarities in communication link profiles for each internal computer includes grouping the internal computers into the plurality of computer clusters such that each computer cluster comprises a subset of internal computers communicating with a set of external computers at a frequency that is different from a frequency of communication between other internal computers and other external computers.

11. The non-transitory storage device of claim 7, wherein determining a communication link profile for each of the internal computers includes generati
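The claims above describe a pipeline: build an n by m communication matrix from traffic records (claim 4), treat each row as an internal computer's communication link profile, group computers whose profiles reach a similarity threshold (claim 1), assign a newly seen internal computer to the cluster its profile matches (claim 1), and flag a cluster whose members share a property such as contacting the same external hosts (claims 2 and 6), whose external peers then become candidates for restriction (claim 3). The following is an added worked example, not code from the patent or its assignee. It assumes cosine similarity as the similarity measure, a complete-linkage threshold rule for grouping, and an allowlist of known-good external hosts for the shared-property check; none of these choices is specified on the page. The traffic records are constructed sample data, and the low-rank factorization of claim 5 is not shown (the raw matrix row serves as the profile).

```python
"""Communication-link profiles, threshold clustering and cluster assignment
(added illustration of the claimed pipeline; similarity measure and allowlist
are assumptions, not details from the patent)."""
from math import sqrt

# Constructed sample traffic: (internal host, external host, connection count in the window)
SAMPLE_TRAFFIC = [
    ("int-01", "cdn.example", 40), ("int-01", "mail.example", 12),
    ("int-02", "cdn.example", 38), ("int-02", "mail.example", 10),
    ("int-03", "cdn.example", 42), ("int-03", "mail.example", 9),
    # three hosts that contact the same two otherwise-unseen externals at a steady rate
    ("int-04", "198.51.100.7", 24), ("int-04", "203.0.113.9", 24),
    ("int-05", "198.51.100.7", 24), ("int-05", "203.0.113.9", 24),
    ("int-06", "198.51.100.7", 24), ("int-06", "203.0.113.9", 24),
]


def build_matrix(records):
    """Claim 4: n by m matrix, one row per internal host, one column per external host.
    Returned as {internal_host: row_vector} plus the ordered column labels."""
    internals = sorted({src for src, _, _ in records})
    externals = sorted({dst for _, dst, _ in records})
    col = {e: j for j, e in enumerate(externals)}
    matrix = {h: [0] * len(externals) for h in internals}
    for src, dst, count in records:
        matrix[src][col[dst]] += count
    return matrix, externals


def vectorize(counts, externals):
    """Profile for a host seen later (claim 1's 'particular internal computer'),
    expressed over the existing columns; externals never seen before are ignored."""
    return [counts.get(e, 0) for e in externals]


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = sqrt(sum(x * x for x in a)), sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


def cluster_profiles(profiles, threshold=0.9):
    """Group hosts whose profiles reach the threshold similarity with every
    member already in a cluster (complete linkage; assumed rule)."""
    clusters = []
    for host, vec in profiles.items():
        for cluster in clusters:
            if all(cosine(vec, profiles[m]) >= threshold for m in cluster):
                cluster.append(host)
                break
        else:
            clusters.append([host])
    return clusters


def assign_new_host(profiles, clusters, new_vec, threshold=0.9):
    """Return the index of the cluster the new profile matches, or None if no
    cluster reaches the threshold (the host then stays unassigned for review)."""
    best = None
    for i, cluster in enumerate(clusters):
        score = min(cosine(new_vec, profiles[m]) for m in cluster)
        if score >= threshold and (best is None or score > best[1]):
            best = (i, score)
    return best[0] if best else None


def flag_suspicious_clusters(profiles, clusters, externals, allowlist):
    """Claims 2/3/6 style check: a cluster of two or more hosts whose members all
    contact exactly the same external set, none of which is allowlisted, is flagged;
    the shared externals are returned as candidates to restrict."""
    suspicious = {}
    for i, cluster in enumerate(clusters):
        contacted = [frozenset(externals[j] for j, v in enumerate(profiles[m]) if v)
                     for m in cluster]
        shared = contacted[0]
        if len(cluster) >= 2 and all(c == shared for c in contacted) and not (shared & allowlist):
            suspicious[i] = sorted(shared)
    return suspicious


if __name__ == "__main__":
    matrix, externals = build_matrix(SAMPLE_TRAFFIC)
    clusters = cluster_profiles(matrix)
    print("clusters:", clusters)
    newcomer = vectorize({"cdn.example": 50, "mail.example": 15}, externals)
    print("new host assigned to cluster:", assign_new_host(matrix, clusters, newcomer))
    print("flagged:", flag_suspicious_clusters(matrix, clusters, externals,
                                               {"cdn.example", "mail.example"}))
```

With the sample data the three web/mail hosts form one cluster and the three beaconing hosts another; a newcomer with a web/mail-shaped profile is assigned to the first cluster, while the second cluster is flagged and its two shared external peers are listed for restriction. In practice the allowlist check is a stand-in for whatever shared property the analyst chooses, and an unassigned newcomer (no cluster above the threshold) is itself worth a look rather than being forced into the nearest group.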
CPC classification titles:

- in which an application is distributed across nodes in the network (software deployment G06F8/60; multiprogramming arrangements G06F9/46)
- Profiles
- Traffic logging, e.g. anomaly detection
- Grouping of entities
- Terminal profiles